Sonatype Delivers Premium Open Source Controls to GitHub Users


New Integrations Deliver Enterprise-Grade Open Source Governance and Dependency Management to Millions of GitHub Developers

San Francisco – GitHub Universe – Tuesday, Nov. 12, 2019 – Sonatype, the company that scales DevOps through open source governance and software supply chain automation, today announced new integrations that strengthen GitHub with premium open source governance and dependency management controls.

Sonatype has long been the world’s premier provider of open source health and hygiene data and beginning today the company is announcing six new Nexus integrations with GitHub:

Automatically fix open source issues with trustworthy pull requests from Nexus Lifecycle

As the use of open source continues to skyrocket, the importance of understanding dependency trees becomes even more crucial to software security and innovation. According to Sonatype’s 2019 State of the Software Supply Chain report, teams that regularly update OSS dependencies deliver higher quality software with 65% fewer vulnerabilities.

This realization is motivating more and more software engineering teams to seek solutions that can automatically open GitHub pull requests to help developers continuously update dependencies. The challenge, however, is that automated pull requests are not created equal. Unlike competing offerings, only Sonatype generates automatic pull requests that developers can truly trust.

“The easy part of dependency management is creating a service that can automatically open a GitHub pull request whenever new versions of dependencies are published,” said Brian Fox, CTO of Sonatype. “The hard part, however, is creating a service that is smart enough to understand in real-time the integrity of new versions before automatically opening a pull request.” 

Sonatype-generated pull requests are more intelligent because they are based on Nexus Intelligence, giving developers confidence that they are being recommended the best version available and removing friction in their GitHub pipeline. Nexus Intelligence, which powers Nexus Lifecycle, has analyzed more than 65 million open source components and cataloged over 10 million open source vulnerabilities, creating incredibly accurate OSS data that decreases noise to give developers greater peace of mind when automatically upgrading dependencies.

Innovate faster with less friction thanks to unrivaled, precise policy enforcement with Nexus for GitHub Actions 

High velocity DevOps and Continuous Integration practices depend on automation to remain afloat. It’s vital that security is built directly into these pipelines to keep workflows moving and innovation rolling. This velocity makes precision and the highest quality data necessary to identify the best open source to use in software builds. Sonatype’s suite of new integrations with GitHub Actions brings the unique intelligence and power of the Nexus Platform directly to your CI/CD pipeline - making it even easier to develop secure software. 

  • Nexus Lifecycle customers can now automatically enforce their policies and view expert remediation guidance directly in GitHub Actions. Sonatype's unparalleled open source data enables developers to know with extreme confidence whether a component is vulnerable without leaving their environment. Nexus now supports 42 programming languages and package formats.

  • Nexus Vulnerability Scanner (NVS) is a free tool that allows you to see what the Sonatype data difference is all about. Add NVS to your GitHub Actions pipeline to find out what’s really in your software and how we use Advanced Binary Fingerprinting to precisely identify components and eliminate false positives/negatives.

  • Nexus Repository (Pro and OSS) now integrates directly into GitHub Actions making your workflow even easier, by bringing your single source of truth for components, binaries, and build artifacts directly into your CI/CD pipeline. 

  • Sonatype Nancy is a free tool that checks for vulnerabilities in your Go (Golang) dependencies by employing the power of OSS Index. Nancy works for projects that use dep or Go modules for dependencies, and now integrates with GitHub Actions.

About Sonatype

Sonatype is the leader in software supply chain automation technology with more than 300 employees, over 1,000 enterprise customers, and is trusted by more than 10 million software developers. Sonatype's Nexus platform enables DevOps teams and developers to automatically integrate security at every stage of the modern development pipeline by combining in-depth component intelligence with real-time remediation guidance. For more information, please visit, or connect with us on Facebook, Twitter, or LinkedIn.